Add local IUSR account to remote machines for access to mdb file?

[cbsarge]

I have 2 Windows 2003 servers. A server that our website on it running on IIS6. I have a second server that has an Access database on it that contains login info (and other stuff) for the website. It's also used for a proprietary application we use so I'd rather not have to move it. I have set up an odbc system dsn to the Access database on the remote server. It fails to log in and there is an access denied message in the security log on the server with the database. The server with the website is using it's local IUSR_machine account for the website. I've tried setting up the odbc using the Domain Admin account but, it seems to ignore that. If I make a copy of the Access database and put it on the same server as the website it works fine.

My question is can I add the IUSR_webserver account to the remote database server's users group?

If not, what might some other ways to go about this be? I saw a KB that suggested making the IUSR account on both systems have the same password but, that didn't seem to work.

 

[WhoKilledKenny]

I have set up an odbc system dsn to the Access database on the remote server. It fails to log in and there is an access denied message in the security log on the server with the database.

The ODBC connection is on the web server. Is the an external web server which is not part of a domain? Meaning is the web server a stand alone server in a DMZ and the Databse server a member server of your domain? or is the an internal site with both the web and DB server on your domain?

If it is a External web server, you should be able to connect using ODBC (on the web server) using a Local Account/password (created on the DB server) that has access to the database. When you move the DB to the web server it works... I would suspect that either a Local Account has not been setup and/or ports on the firewall that allow communication between the Web server and the DB Server need to be opened.

 

[Sheco]

Have you considered using the IIS Admin tool to change the account used for anonymous access? Perhaps you could use a domain account instead of a local account. For security reasons you wouldn't want it to have much in the way of permissions to anything else besides the folder containing the Access file.

 

[Sheco]

I was assuming the boxen are in the same domain.

 

[cbsarge]

The machines are all on the same domain. I ended up getting it to work by creating a local account on the database server with the same name and password as the IUSR_webserver account from the web server. I also had to reset the IUSR_webserver password at the root of the web after that - same account but, with the updated password. I am now able to log in to the site with tha database still on the remote server.

Thanks to all for the suggestions!

 

[Cstorms]

Couldnt you have setup ntfs permissions on the database file and left anonymous access to whatever defaults you had, as long as your using windows authentication the domain users would have had access to it.

 

[cbsarge]

I wasn't clear - the website is our public website for customers and what-not. I need the IUSR account. I guess I could create a domain IUSR account and use that then give it permissions on both machines but, this worked too.

...now I just have to remember to not change the password unless I do it in both places!

Thanks again!

 

[itsp1965]

Be careful because if I am not mistaken the IUSR_server password is dynamic in nature and resets itself at specific intervals. You are best served by enabling an authentication method on your server other than anonymous and use this account to be able to access your database.

 

[WhoKilledKenny]

You should create a local account, itsp1965 is correct. I would not create a domain IUSR account either, Security issue...